Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
545
Views
0
Helpful
1
Replies

ASA cluster failover - DMZ sub-interface failure

Oerlikon_NZ
Level 1
Level 1

‎10-07-2013 03:54 AM - edited ‎03-11-2019 07:48 PM

Hello.  Any thoughts on this?

The active ASA firewall failed over to the standby due to an 'interface failure' with a sub-interface. 

This monitored sub-interface (DMZ) is part of physical interface with several other sub-interfaces (DMZs) that are also monitored for failover.  None of these appeared to have failed at the same time however. It's just this one sub-interface that indicated as failed. 

The physical interface for the sub-interface is connected to a switch stack.  There were no problems with the physical interface on either the previously active firewall, or the switch stack.  According to monitoring, no problems indicated either with traffic/CPU/mem usage on either the firewall or the switch stack also during this time.  The VLAN on the switch for this firewall sub-interface is currently only active & trunked to the firewall cluster.  Hosts on the switch in this VLAN were removed a few weeks ago.  Again no problem with VLAN that I can see.

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-12-2013 12:43 PM

Hello

I would recommend to run

debug fo rxip

debug fo txip

to make sure that the hello packets are being exchanged as the timer says.

As you said it's odd but this things happens so double check that next time it happens, the trunk link , interface errors, etc.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card